Red Hat Bugzilla – Bug 828360
CVE-2012-2388 strongswan: authentication bypass due to RSA signature verification flaw
Last modified: 2012-07-09 21:11:33 EDT
strongSwan 4.6.4 was released  to fix a security flaw in 4.2.0 through to 4.6.3. If the gmp plugin were used for RSA signature verification with IKEv1 or IKEv2, an empty or zeroed signature was handled as a legitimate one. A connection definition using RSA authentication is required to exploit this flaw, and an attacker presenting a forged signature and/or certificate could authenticate as any legitimate user.
The fix is present in version 4.6.4 or as a patch .
Created strongswan tracking bugs for this issue
Affects: fedora-all [bug 828361]
Affects: epel-6 [bug 828362]